#!/usr/bin/env bash

## 创建 ca 证书配置
mkdir -p ~/TLS/etcd && cd ~/TLS/etcd

cat > ca-config.json << EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "www": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json << EOF
{
    "CN": "etcd CA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai"
        }
    ]
}
EOF

## 生成 ca 证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
ls

## 创建 etcd HTTPS 证书配置
cat > server-csr.json << EOF
{
    "CN": "etcd",
    "hosts": [
    "$ETCD_NODE1_IP",
    "$ETCD_NODE2_IP",
    "$ETCD_NODE3_IP"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Shanghai",
            "ST": "Shanghai"
        }
    ]
}
EOF

## 生成 etcd HTTPS 证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

echo "----------- Etcd 证书----------"
ls server*





